10-15-2019 06:38 AM
How are all four modules in ServiceNow inter-linked (Policy & Compliance, Risk Management, Audit Management and Vendor Risk Management)? Is there any presentation?
10-25-2019 05:02 AM
The three applications that make up the GRC suite are 'Policy & Compliance', 'Risk', and 'Audit'. There is a fourth primary application, 'Vendor Risk', but it is licensed separately from the core GRC suite. There are additional plugins and store apps that round out the core ServiceNow-delivered GRC products: SIG Support, UCF Integration, Risk Lens Integration, Advanced Risk, Content Packs (SOX, RMF, CSF), PA, Assessments, and Mobile. There are over 60 apps on the store, categorized as GRC, available from partners. I won't begin to name them all.
10-15-2019 07:40 AM
Hello,
There might be a few presentations, but they are more focused on business or sales than technical; all the information I have comes from training courses or I created myself.
Please take a look at the following diagram:
There are a few changes in the NY version: the policy statement will be called Control Objective, and Profile and Profile Type will be called Entity and Entity Type.
Many thanks,
Raf
10-15-2019 01:49 PM
That diagram is useful (although I have a different one I use with clients!), but it does not really show Audit Management; there is a presentation by SN somewhere which talks more about how we might have 1st line and 2nd line, for Risk and Controls respectively, and then Audit is 3rd line / Assurance...
VRM can connect more at an operational level, but will do things like link questions of a vendor risk assessment to a control objective...
There is a lot of interconnection, with profiles/entities at the heart of it all.
I saw one diagram recently which put Authority Documents at the centre, which is not how I see it!
This is such a broad question and difficult to answer on the community. I suggest the GRC Fundamentals course from ServiceNow to get a real introduction. It is a full day course but will set you up for success.
10-21-2019 09:07 AM
Yes, the GRC Fundamentals class is a must.
More on what training is right for you here:
10-21-2019 03:02 PM
Hello all, the slide below is the architecture slide I created to explain ServiceNow GRC to customers and partners. Will try to summarize an hour long conversation for you here. To begin, basically, the 'entity' is at the center. It is the glue that brings things together and enables the automation.
Entity Types: the scope definitions (via filters) that define a data set of people, places, and things to put under management. Entities are created for each item to be managed.
Risk: frameworks are containers (buckets) consolidating the statements (risk templates). When a risk framework is related to an entity type, risk templates (statements) become individually assigned risks for each entity.
P&C: Authoritative documents are imported (via UCF or another source), including the citations. Control Objectives are also imported and stand as the control templates that will be created. (Note for later: control objectives are where audit test plans are defined.) Policies are the unique organizational application of regulations, addressing their specific needs. Control objectives are related to policies before publishing. Once published, and related to an entity type, individual controls are assigned to each entity owner for any entity in scope for the policy.
Indicators: in P&C, indicators are used for continuous control monitoring, and are later auto-attached to an audit engagement as evidence. In Risk, they are used to monitor specific situations for events that would auto-escalate risks.
Audit: In scoping, when entities are related to the engagement and it is then advanced to fieldwork, the risks and controls are auto-related to the engagement for auditor review. Control indicator results within the audit period are also auto-related to the engagement.
If you are still here (not TL;DR), assessments are used for both control attestations and risk assessments.
I didn't cover every element, but hopefully answered how the various applications fit together.
@eric feron, maybe we should record a tutorial video.
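The relationships in the post above (entity types as filters that yield entities, a risk framework fanning out into one risk per entity, a published policy fanning out into one control per objective per entity owner, and an audit engagement pulling in the scoped entities' risks, controls and in-period indicator results) can be shown as a small in-memory model. This is an added illustration written for this thread, not ServiceNow's own code, tables or data model; every record, field name and filter below is a constructed assumption chosen for readability.

```javascript
// Added illustration, not ServiceNow's own code or data model: a toy in-memory
// version of the relationships the post describes. Entity/field names, the
// sample records and the filter functions are constructed assumptions.

// Constructed sample entities: the people, places and things under management.
const ENTITIES = [
  { id: 'E1', name: 'Payroll DB', kind: 'application', region: 'EU', owner: 'alice' },
  { id: 'E2', name: 'CRM', kind: 'application', region: 'US', owner: 'bob' },
  { id: 'E3', name: 'Frankfurt DC', kind: 'datacenter', region: 'EU', owner: 'carol' },
  { id: 'E4', name: 'HR Portal', kind: 'application', region: 'EU', owner: 'dave' },
];

// Entity types are scope definitions (filters) over the entity set.
const ENTITY_TYPES = {
  'EU Applications': (e) => e.kind === 'application' && e.region === 'EU',
  'Datacenters': (e) => e.kind === 'datacenter',
};

function entitiesOfType(typeName, entities = ENTITIES) {
  const filter = ENTITY_TYPES[typeName];
  if (!filter) throw new Error(`unknown entity type: ${typeName}`);
  return entities.filter(filter);
}

// A risk framework is a bucket of risk statements (templates).
const FRAMEWORK = {
  name: 'Data Protection',
  statements: ['Unauthorised access to personal data', 'Loss of data availability'],
};

// Relating a framework to an entity type yields one risk per statement per entity.
function instantiateRisks(framework, typeName) {
  const risks = [];
  for (const e of entitiesOfType(typeName)) {
    for (const statement of framework.statements) {
      risks.push({ entity: e.id, owner: e.owner, framework: framework.name, statement });
    }
  }
  return risks;
}

// A policy carries the control objectives related to it before publishing.
const POLICY = {
  name: 'Access Control Policy',
  published: false,
  objectives: ['AC-1 Access rights reviewed quarterly', 'AC-2 MFA enforced for admins'],
};

// Publishing a policy and relating it to an entity type assigns one control per
// objective to each entity owner in scope. The original policy is left untouched.
function publishPolicy(policy, typeName) {
  const published = { ...policy, published: true };
  const controls = [];
  for (const e of entitiesOfType(typeName)) {
    for (const objective of published.objectives) {
      controls.push({ entity: e.id, owner: e.owner, policy: published.name, objective });
    }
  }
  return { policy: published, controls };
}

// Constructed indicator results (continuous control monitoring), dated ISO-8601
// so plain string comparison orders them correctly.
const INDICATOR_RESULTS = [
  { entity: 'E1', objective: 'AC-2 MFA enforced for admins', date: '2019-09-15', passed: true },
  { entity: 'E1', objective: 'AC-1 Access rights reviewed quarterly', date: '2019-06-01', passed: false },
  { entity: 'E2', objective: 'AC-2 MFA enforced for admins', date: '2019-09-20', passed: true },
];

// An audit engagement scopes a set of entities and an audit period.
const ENGAGEMENT = {
  name: 'Q3 2019 Access Review',
  entities: ['E1'],
  periodStart: '2019-07-01',
  periodEnd: '2019-09-30',
};

// Advancing to fieldwork auto-relates the scoped entities' risks and controls,
// plus the indicator results that fall inside the audit period, as evidence.
function advanceToFieldwork(engagement, risks, controls, indicatorResults) {
  const inScope = new Set(engagement.entities);
  const inPeriod = (d) => d >= engagement.periodStart && d <= engagement.periodEnd;
  return {
    risks: risks.filter((r) => inScope.has(r.entity)),
    controls: controls.filter((c) => inScope.has(c.entity)),
    evidence: indicatorResults.filter((i) => inScope.has(i.entity) && inPeriod(i.date)),
  };
}

// Stand-alone run: wire the pieces together in the order the post describes.
function demo() {
  const risks = instantiateRisks(FRAMEWORK, 'EU Applications');
  const { controls } = publishPolicy(POLICY, 'EU Applications');
  return advanceToFieldwork(ENGAGEMENT, risks, controls, INDICATOR_RESULTS);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it with the constructed data scopes two EU applications, produces four risks and four controls, and the engagement for E1 ends up with two risks, two controls and a single piece of evidence: the out-of-period result and the result for the out-of-scope entity are both left out, which is the filtering behaviour the post attributes to the audit period.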